aa-ebpf 0.0.1-alpha.8

eBPF-based kernel-level monitoring hooks for Agent Assembly
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

//! Syscall kind classification for file I/O kprobes.

use core::fmt;

/// Identifies which file-related syscall was intercepted by a kprobe.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[repr(u8)]
pub enum SyscallKind {
    /// `sys_openat` — open or create a file.
    Openat = 0,
    /// `sys_read` — read from a file descriptor.
    Read = 1,
    /// `sys_write` — write to a file descriptor.
    Write = 2,
    /// `sys_unlink` — delete a file.
    Unlink = 3,
    /// `sys_rename` — rename or move a file.
    Rename = 4,
}

impl fmt::Display for SyscallKind {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Openat => write!(f, "openat"),
            Self::Read => write!(f, "read"),
            Self::Write => write!(f, "write"),
            Self::Unlink => write!(f, "unlink"),
            Self::Rename => write!(f, "rename"),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn display_formats_as_lowercase_syscall_name() {
        assert_eq!(SyscallKind::Openat.to_string(), "openat");
        assert_eq!(SyscallKind::Read.to_string(), "read");
        assert_eq!(SyscallKind::Write.to_string(), "write");
        assert_eq!(SyscallKind::Unlink.to_string(), "unlink");
        assert_eq!(SyscallKind::Rename.to_string(), "rename");
    }

    #[test]
    fn repr_values_are_sequential() {
        assert_eq!(SyscallKind::Openat as u8, 0);
        assert_eq!(SyscallKind::Read as u8, 1);
        assert_eq!(SyscallKind::Write as u8, 2);
        assert_eq!(SyscallKind::Unlink as u8, 3);
        assert_eq!(SyscallKind::Rename as u8, 4);
    }
}